[pmwiki-users] very subtle bug in blocklist2 script

Patrick R. Michaud pmichaud at pobox.com
Sun Sep 11 10:39:11 CDT 2005


On Sat, Sep 10, 2005 at 01:39:45AM -0400, Neil Herber wrote:
> However, on a Windoze server, pages named "Blocklist" and "BlockList" 
> (note cap "L") map to the same file. On my system the actual file 
> name was Blocklist, but I entered BlockList in the URL, which 
> retrieved the correct page, but failed on the page name match test 
> inside the Blocklist2 code.
> 
> This can probably be fixed with a case-insensitive comparison.

Perhaps not, because on Unix systems a case-insensitive comparison 
would mean that a spammer could enter any text desired on BlockList 
(with a capital 'L'), as well as "BLOCKLIST", "BlOCKLIST", 
"BlOcKlIsT", etc.

(Granted, on post-beta44 versions these alternate pages would 
all be blocked against edits, so it's not an issue there, but
for blocklists held in non-protected groups it could be 
an issue.)

I don't have a quick solution to this problem.  (Feel free to
enter it in PITS.)

Pm
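
Added example, not part of the original message and not Blocklist2 code: a Python model of the trade-off discussed in this thread, comparing an exact name match, a case-insensitive match, and a match on the stored name the request actually resolves to. `PageStore`, the `exempt_*` functions and the reading that a name match exempts the page from the blocklist check are assumptions made for illustration.

```python
# Added illustration; all names are hypothetical, not PmWiki or Blocklist2 APIs.
BLOCKLIST_PAGE = "Blocklist"  # page assumed to be exempt from the blocklist check


class PageStore:
    """Constructed model of a wiki page store on one kind of filesystem."""

    def __init__(self, case_sensitive, existing):
        self.case_sensitive = case_sensitive
        self.existing = set(existing)

    def resolve(self, requested):
        """Return the stored name a request opens, or None for a new page."""
        if requested in self.existing:
            return requested
        if not self.case_sensitive:
            for name in self.existing:
                if name.lower() == requested.lower():
                    return name
        return None


def exempt_exact(store, requested):
    # Exact string match: fails for "BlockList" even when it opens the same file.
    return requested == BLOCKLIST_PAGE


def exempt_caseless(store, requested):
    # Case-insensitive match: also exempts distinct pages on a case-sensitive store.
    return requested.lower() == BLOCKLIST_PAGE.lower()


def exempt_resolved(store, requested):
    # Compare the name of the file that would actually be opened.
    return store.resolve(requested) == BLOCKLIST_PAGE


def report(check):
    """Run one check against a request for "BlockList" on both store types."""
    windows = PageStore(case_sensitive=False, existing=[BLOCKLIST_PAGE])
    unix = PageStore(case_sensitive=True, existing=[BLOCKLIST_PAGE])
    return {
        "windows_alias_exempt": check(windows, "BlockList"),
        "unix_other_page_exempt": check(unix, "BlockList"),
    }
```

Only the resolved-name check exempts the alias on the case-insensitive store while still treating "BlockList" as a separate, non-exempt page on the case-sensitive one.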



